
| Subject: | General security policy vs. security awareness |
|---|---|
| Date: | Mon, 28 Feb 2005 20:05:37 -0500 |
This is my response to a post asking how many pages a general security policy should be. It also expressed concerns about getting the salient points across. I thought it might be of interest to you...
I would not limit a general security policy to any number of pages per se. One way to keep it relatively compact is to write with the average employee as the intended audience (e.g. the sales team does not need to know about the system development life cycle). Departmental policies should detail how the general policy applies in that functional area. The general policy should include security best practices and be written with applicable regulations in mind (e.g. SOX, HIPAA, etc.). This may push the content up to 30-40 pages. Check SANS for policy resources (http://www.sans.org/resources/policies).
As for your concerns about employees picking up the salient points...
1. Ask the CEO to introduce the policy by e-mail with a letter stating that security is everyone's responsibility, appointing an information security steering committee, and a brief overview of the framework in use (e.g. ISO 17799, CoBIT, etc.). Repeat annually.
2. Create a PowerPoint presentation based on the policy. Hold security orientation briefings for all employees and contractors. Record attendance with a sign-in sheet and require everyone to sign off on the policy within 1 week. That should be enough time to answer outstanding questions and consider possible exceptions. Repeat the briefings annually and brief new employees as they are hired.
3. Create an internal security web site. Post the policy, presentation, incident report template, security awareness tips, etc.
4. Start a formal security awareness program:
http://www.ussecurityawareness.org/highres/security-awareness.html
In essence, the policy is just that, a policy. Getting the point across speaks to a change in culture. For that an awareness program is required.
Just my $.02.
Kind regards,
Gideon
Gideon T. Rasmussen CISSP, CISA, CISM, CFSO, SCSA Boca Raton, FL gideon@infostruct.net